Things in Washington DC must really be bad if Deven McGraw, Chair of the Privacy and Security Tiger Team and member of the national Health IT Policy Committee, is speaking out so clearly about the lack of privacy protections in federal policy. She states in the article “2012: Time for Action on Health Privacy” that it’s time for HHS/ONC to change their “pattern” of “too much talk and not enough action” to protect privacy. Is there a privacy crisis? PPR thinks it’s critical to build privacy and patient control over data in up front. Now is the time!

“Consumers and patients support the electronic sharing of health information and are eager to experience the benefits of widespread adoption and use of electronic health records. Yet a substantial majority continue to express significant concerns regarding the impact of e-health on the privacy and security of their health information. According to a recent survey by the Markle Foundation, the privacy of health information is a significant concern for the American public and doctors who serve them.

Building and maintaining public trust in health IT and health information sharing will be critical to leveraging their benefits to improve individual and population health. The rhetoric from the Office of the National Coordinator for Health IT and HHS has been consistently strong on the importance of respecting the confidentiality of health information; however, with a few exceptions, the pattern has been too much talk and not enough action.”

Epsilon, the world’s largest email service provider, did not respond to 4 month-old warnings that their systems were vulnerable to hackers trying to access email deployment systems. Victims reported not only email addresses, but phone numbers were stolen. Some got hundreds of phone calls.

Everyone should expect very sophisticated “spear-phishing” attacks via email, where someone gets you to open an email by pretending to know you by using details from social media, etc.

2500 global companies like Citibank trusted Epsilon with sensitive details about millions of us, their customers.

Hospitals, insurers, pharmacies, and many unknown third parties/corporations/government agencies hold also data bases with millions of Americans’ sensitive financial and health records. Reports of health data breaches are soaring because securing data is very difficult and expensive.

Shouldn’t we demand that Congress and the federal government require and validate that all businesses holding health data have ironclad data security protections in place, BEFORE REQUIRING ever more data exchange, when we already know that healthcare systems are extremely vulnerable?

Shouldn’t health IT systems have ironclad security and require patient consent first? Shouldn’t the horse go before the cart?

Check out the latest proposed Federal Strategic Health IT Plan:
• it requires vast amounts of data-sharing NOW for a myriad of “meaningful uses” and other reporting without patient consent
• we still can’t see who accessed or used our health data because we can’t get audit trails of all disclosures yet, even though federal law (HITECH, 2009) requires that data holders give us a 3-year accounting of all disclosures if requested. This new consumer right and protection has not been implemented in regulations by HHS.
• See: ONC Announces open public comment period on the Federal Health IT Strategic Plan: 2011-2015

PPR will circulate comments for the Coalition for Patient Privacy to sign.